mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: mckinnon () ISIS2000 COM (Bill McKinnon)
Date: Wed, 16 Feb 2000 09:06:47 -0700
On Tue, 15 Feb 2000, Andrew Danforth wrote:
On Mon, 14 Feb 2000, Bill wrote:
Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?
Not really. Consider the following snippet:
open PASSWD, '< /etc/passwd';
$var = '&PASSWD'; # also try $var = '&3';
open IN, "< $var";
print while (<IN>);
Perl's open will dup other file descriptors if < is followed by &. This
isn't as potentially problematic as forking commands, but there may be
circumstances where someone could dup a filehandle and cause your script
to behave strangely/output sensitive information/etc.
Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:
$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";
$var = shift;
open(FH, "< $var") or die "open(): $!\n";
(hit CTRL D here)
Anyway, this is probably getting off topic...